Here's the case:
A customer of mine called today because they suspect they have a virus or other malware. I picked up the machine and am capturing an image with FTK-Imager-lite as we speak. I am going to clean the live PC and give it back to the customer and use the image to attempt to figure out exactly what the infection mechanism was. I will detail my processes and findings here on the blog in hopes of attracting tips, comments and guidance from anyone in the audience.
Customer complained of popups and slow overall performance on March 18th, 2010.
Collected the PC in a powered-down state from the customer site on March 19th at 0945.
Extracted the hard drive at 1200 on March 19th.
Mounted it read-only on my Ubuntu workstation at 1205 and began imaging with FTK Imager Lite from a WinXP VM at 1212, raw image format, dumping to a Fantom 1 TB USB drive formatted NTFS, clean wiped using dd.
Estimated image completion time is ~12 hours.
Infected machine specs:
HP DX2300/XP Pro SP3/Trend Micro Antivirus/1GB RAM/Core2 Duo/160GB Sata HD
Once imaging is complete I will boot up the machine and capture RAM using Memoryze for later analysis.
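As an added illustration of the acquisition step above (this is not the author's own workflow or FTK Imager; it is a plain POSIX shell script I wrote for this post), here is how a raw dd-style image can be taken on the Linux side and verified against the source before any analysis starts. The device is stood in for by a constructed sample file, since the script has to run without a real disk or root; `/dev/sdX`, the image path and the log path are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example: raw acquisition with dd, then source/image hash comparison
# and an acquisition log. Not the blog author's tooling; paths are assumptions.

# Build a constructed stand-in for a block device: 64 sectors of random data.
# Real disks are always a whole number of 512-byte sectors, which matters below.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=512 count=64 2>/dev/null
}

# acquire_and_verify SOURCE IMAGE LOG
#   Images SOURCE into IMAGE, hashes both, appends timestamps and hashes to LOG.
#   Returns 0 when the hashes match, 1 if dd fails, 2 on a hash mismatch.
acquire_and_verify() {
    src="$1"; img="$2"; log="$3"
    printf 'start:  %s\nsource: %s\nimage:  %s\n' \
        "$(date -u +%FT%TZ)" "$src" "$img" >> "$log"
    # conv=noerror keeps reading past bad sectors; conv=sync pads each short
    # read with zeros so offsets inside the image stay aligned with the disk.
    # bs=512 matches the sector size: with a larger bs, sync would pad the
    # final partial block and the image hash would no longer match the source.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf 'sha256 source: %s\nsha256 image:  %s\n' "$src_hash" "$img_hash" >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        printf 'verify: MATCH\nend:    %s\n' "$(date -u +%FT%TZ)" >> "$log"
        return 0
    fi
    printf 'verify: MISMATCH\nend:    %s\n' "$(date -u +%FT%TZ)" >> "$log"
    return 2
}

# Demo on the constructed sample (replace with /dev/sdX and your evidence paths).
work=$(mktemp -d)
make_sample_device "$work/sdX.bin"
acquire_and_verify "$work/sdX.bin" "$work/sdX.dd" "$work/acquisition.log"
cat "$work/acquisition.log"
```

The log file is the piece to keep with the image: it records when the copy ran and the two hashes, so anyone reviewing the case later can rehash the image and confirm it is still the same bytes that came off the drive. Once verified, the image can be mounted read-only for analysis with something like `mount -o ro,loop,noexec,offset=<partition offset> sdX.dd /mnt/evidence`, which keeps the original drive out of the loop entirely.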
Any and all suggestions are welcome.
More to follow...